Commit 215a2dd3 authored by Eric Paris's avatar Eric Paris Committed by David S. Miller

[IPSEC]: Add xfrm policy change auditing to pfkey_spdget

pfkey_spdget neither had an LSM security hook nor auditing for the
removal of xfrm_policy structs.  The security hook was added when it was
moved into xfrm_policy_byid instead of the callers to that function by
my earlier patch and this patch adds the auditing hooks as well.
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
Acked-by: default avatarVenkat Yekkirala <vyekkirala@trustedcs.com>
Acked-by: default avatarJames Morris <jmorris@namei.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ef41aaa0
...@@ -2537,7 +2537,7 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb, ...@@ -2537,7 +2537,7 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
{ {
unsigned int dir; unsigned int dir;
int err; int err = 0, delete;
struct sadb_x_policy *pol; struct sadb_x_policy *pol;
struct xfrm_policy *xp; struct xfrm_policy *xp;
struct km_event c; struct km_event c;
...@@ -2549,16 +2549,20 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h ...@@ -2549,16 +2549,20 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
if (dir >= XFRM_POLICY_MAX) if (dir >= XFRM_POLICY_MAX)
return -EINVAL; return -EINVAL;
delete = (hdr->sadb_msg_type == SADB_X_SPDDELETE2);
xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol->sadb_x_policy_id, xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol->sadb_x_policy_id,
hdr->sadb_msg_type == SADB_X_SPDDELETE2, &err); delete, &err);
if (xp == NULL) if (xp == NULL)
return -ENOENT; return -ENOENT;
err = 0; if (delete) {
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
if (err)
goto out;
c.seq = hdr->sadb_msg_seq; c.seq = hdr->sadb_msg_seq;
c.pid = hdr->sadb_msg_pid; c.pid = hdr->sadb_msg_pid;
if (hdr->sadb_msg_type == SADB_X_SPDDELETE2) {
c.data.byid = 1; c.data.byid = 1;
c.event = XFRM_MSG_DELPOLICY; c.event = XFRM_MSG_DELPOLICY;
km_policy_notify(xp, dir, &c); km_policy_notify(xp, dir, &c);
...@@ -2566,6 +2570,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h ...@@ -2566,6 +2570,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
err = key_pol_get_resp(sk, xp, hdr, dir); err = key_pol_get_resp(sk, xp, hdr, dir);
} }
out:
xfrm_pol_put(xp); xfrm_pol_put(xp);
return err; return err;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment